From 699ddfcb2592a3e2a481935f6f0669c3e10e3c73 Mon Sep 17 00:00:00 2001
From: Bryan Thompson
Date: Wed, 20 May 2026 10:03:02 -0700
Subject: [PATCH] ci: gate audit-deps step to PRs into main for lib/* workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The lib/* CI workflows (ci-lib-ts-sdk, ci-lib-cli, ci-lib-core, ci-lib-changelog-emitter) ran the audit-deps step on every PR matching their path filters, regardless of base branch. When an advisory lives on main and can only be fixed there (e.g. brace-expansion in #842), PRs into HOLD-* batching branches failed audit with no path to action for the PR author — the fix has to land on main first, then HOLD rebases. Under the HOLD-* batching strategy, each HOLD branch eventually opens a single PR into main at the checkpoint. That PR re-runs audit, so any advisory live at merge time is gated at the actionable boundary. Auditing intermediate PRs into HOLD-* shifts noise earlier without shifting the fix earlier. Gate is base_ref == 'main' OR ref == 'refs/heads/main' so it also covers any future workflow_call invocation from a main-push context.
---
 .github/workflows/ci-lib-changelog-emitter.yml | 7 +++++++
 .github/workflows/ci-lib-cli.yml | 7 +++++++
 .github/workflows/ci-lib-core.yml | 7 +++++++
 .github/workflows/ci-lib-ts-sdk.yml | 7 +++++++
 4 files changed, 28 insertions(+)
diff --git a/.github/workflows/ci-lib-changelog-emitter.yml b/.github/workflows/ci-lib-changelog-emitter.yml
index d2ce878c..60a4326e 100644
--- a/.github/workflows/ci-lib-changelog-emitter.yml
+++ b/.github/workflows/ci-lib-changelog-emitter.yml
@@ -38,7 +38,14 @@ jobs:
 run: pnpm --filter typespec-versioning-changelog run test:coverage
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter typespec-versioning-changelog run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter typespec-versioning-changelog
diff --git a/.github/workflows/ci-lib-cli.yml b/.github/workflows/ci-lib-cli.yml
index c5048ccb..1345d83a 100644
--- a/.github/workflows/ci-lib-cli.yml
+++ b/.github/workflows/ci-lib-cli.yml
@@ -43,7 +43,14 @@ jobs:
 run: pnpm --filter @common-grants/cli run build
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/cli run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/cli
diff --git a/.github/workflows/ci-lib-core.yml b/.github/workflows/ci-lib-core.yml
index c630e6f4..ec3b01cc 100644
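Review bot: The added `if:` skips the audit step outright on every PR whose base is not `main`, so a dependency first introduced or bumped in a PR targeting a HOLD-* branch produces no advisory signal until the checkpoint PR into `main`, where the failure is then attributed to a whole batch rather than to the change that caused it; the identical gate in the ci-lib-cli.yml, ci-lib-core.yml and ci-lib-ts-sdk.yml hunks has the same effect. If the aim is only to stop non-actionable advisories from blocking, keeping the step running and making it non-blocking off `main` preserves the signal, e.g. replace the `if:` line with `continue-on-error: ${{ github.base_ref != 'main' && github.ref != 'refs/heads/main' }}` so the result is still visible in the job log and step annotations. Whether audit-deps.js reports anything beyond its exit code is not visible here, since the script and the rest of the `jobs:` block are outside the hunk. With the six-line comment and the condition now repeated verbatim in four workflows, moving the audit step into a reusable workflow or composite action would keep the gate from drifting between them.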
--- a/.github/workflows/ci-lib-core.yml
+++ b/.github/workflows/ci-lib-core.yml
@@ -40,7 +40,14 @@ jobs:
 run: pnpm --filter @common-grants/core run typespec
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/core run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/core
diff --git a/.github/workflows/ci-lib-ts-sdk.yml b/.github/workflows/ci-lib-ts-sdk.yml
index 2641b3b4..b634c81d 100644
--- a/.github/workflows/ci-lib-ts-sdk.yml
+++ b/.github/workflows/ci-lib-ts-sdk.yml
@@ -40,7 +40,14 @@ jobs:
 run: pnpm --filter @common-grants/sdk run test:coverage
 - name: Audit dependencies
+ # Gated to PRs into `main` (and main-context workflow_call invocations) so
+ # advisories that live on `main` and can only be fixed there don't block
+ # PRs into HOLD-* batching branches or other non-main bases. The HOLD → main
+ # checkpoint PR re-runs this audit, so anything live at merge time is gated
+ # at the actionable boundary.
+ #
 # Calls the npm bulk advisory endpoint directly as a workaround for
 # pnpm audit 410 errors (pnpm/pnpm#11265). Remove this script and
 # revert to `pnpm --filter @common-grants/sdk run audit` once pnpm ships native support.
+ if: github.base_ref == 'main' || github.ref == 'refs/heads/main'
 run: node ${GITHUB_WORKSPACE}/.github/scripts/audit-deps.js --filter @common-grants/sdk